
CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29th


1 CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29th

2 Units of Protection
• Memory
• I/O devices
• Programs
• Data

3 Levels of Protection
• None
• Isolation
  – No sharing of processes or resources
• Share all or nothing
  – Public or private
• Limit access: permissions
• Limit users
• Dynamic sharing

4 Protection Schemes
• Control access to entities
• Decryption
  – Protects data and memory
• Access tokens
  – Protects devices and network nodes
• General techniques
  – Authentication
  – Authorization

5 Authentication
• Verifying that user is truly user
• Types:
  – Physical: Check IP address of machine
  – User: User id and password
  – Process: Thread is associated with proper user process

6 Physical Authentication
• Checks IP address of machine
• How secure?
  – Same technique used by web sites
  – IP addresses can be changed
    • Requires knowledge
    • Change too much, won't match protocol details

7 User Authentication
• Key is password
• How secure?
  – Password must be complex enough
    • Easy to guess if all lowercase
    • Mix of letters, digits, and special characters
  – Store encrypted
    • Hacker could read text file
    • Encryption code stored separately

8 Process Authentication
• Most secure
• Uses process status register
  – Changed with each context switch
  – Hacker program would cause context switch
• Best hacker could do would be to deactivate this scheme

9 Firewalls
• Protects email
• Allows mail only from trusted sources
• Separates attachments to isolated areas

10 Web Traffic Security
• Secure Sockets Layer
  – Included in https secure protocol
• Authentication server
  – Uses credentials of user to create unique ticket and session key
  – Ticket encrypted using session key
• Secure cookie encryption
  – Return to previous web site
  – Prevents reroutes

11 Software Authentication
• Verify that software is authentic and can be trusted
• Trusted source for downloaded software
• Digital signature to ensure unaltered

12 Authorization schemes
• Limit access to only approved users, processes, or procedures
• Schemes:
  – Permissions: mostly associated with users or groups
  – Memory keys: protects data areas

13 Permissions
• UNIX has simple file protection mask
• Windows uses permission groups
• These protect files and directories

14 Permission Policy Commands
• Transfer
• Grant
• Delete
• Copy access
• Give access level
• Remove access

15 Memory Keys
• Used to protect specific data areas
• Memory key is binary bit pattern attached to data location
• Only process with same memory key can access

16 Security Access Matrix
• Most operating systems combine security techniques
• Combination is called "access matrix"
• Trick is finding most security with least cost and least impact to efficiency

17 Ring Architecture
• Concentric domains where innermost is most secure and outer is least
• Files are placed in appropriate ring
• Access to an inner ring is granted only through a monitored entry point
  – Entry requires appropriate authorization
  – Only one entry at a time; prevents piggybacking

18 Collapsed Access Matrix
• Collection of access control data
• Access Control List is column-based
  – List of all entities' access to particular protected object
• Capacity is row-based
  – List of all permissions of a particular entity
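
An added example, not part of the original slides: a small access matrix collapsed both ways, by column into access control lists and by row into per-entity lists (the slide's "Capacity" view, usually called capability lists). The entities, objects, rights and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample matrix: (entity, object) -> rights. Names are illustrative.
ACCESS_MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("bob", "payroll.db"): {"read"},
    ("alice", "printer"): {"write"},
    ("backup_proc", "payroll.db"): {"read"},
    ("backup_proc", "tape0"): {"read", "write"},
    ("bob", "tape0"): set(),  # empty cell: stored in the full matrix only
}

def collapse(matrix, by):
    """by="object": column view (ACLs). by="entity": row view (per-entity lists)."""
    view = defaultdict(dict)
    for (entity, obj), rights in matrix.items():
        if not rights:
            continue  # empty cells are dropped; this is the "collapse"
        outer, inner = (obj, entity) if by == "object" else (entity, obj)
        view[outer][inner] = frozenset(rights)
    return dict(view)

def allowed(view, outer, inner, right):
    """Default-deny lookup; works on either collapsed view."""
    return right in view.get(outer, {}).get(inner, frozenset())

def views_agree(matrix, acls, rows):
    """Every right present in the full matrix must be granted by both views."""
    return all(
        allowed(acls, obj, entity, r) and allowed(rows, entity, obj, r)
        for (entity, obj), rights in matrix.items() for r in rights
    )

def revoke_object(acls, rows, obj):
    """Remove all access to obj; return how many lists each view had to edit."""
    acl_edits = 1 if acls.pop(obj, None) is not None else 0
    row_edits = sum(1 for held in rows.values() if held.pop(obj, None) is not None)
    return acl_edits, row_edits

if __name__ == "__main__":
    acls = collapse(ACCESS_MATRIX, "object")
    rows = collapse(ACCESS_MATRIX, "entity")
    print("ACL for payroll.db:", {e: sorted(r) for e, r in acls["payroll.db"].items()})
    print("List for alice:", {o: sorted(r) for o, r in rows["alice"].items()})
    print("views agree:", views_agree(ACCESS_MATRIX, acls, rows))
    # One ACL edit versus one edit per entity that held the object.
    print("edits (ACL, rows):", revoke_object(acls, rows, "payroll.db"))
```

Revoking an object is a single edit in the column view but touches every entity's list in the row view; listing everything one entity can do is the reverse.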

19 Encryption
• Convert clear data to ciphered data and back again
• Encrypt() and decrypt()
• Types:
  – Private key: share encryption between trusted sources
  – Public key: support multiple interaction types

20 Private Key Encryption
• Symmetric: same key used to encrypt and decrypt
• Data Encryption Standard
  – Complex series of substitutions and permutations on smaller blocks
  – Pattern changes daily

21 Public Key Encryption
• Two-part data encryption
  – Uses a public one that is available to anyone wishing to interact with data location
  – Data encrypted with private one
  – Decrypt function sent to requestor if passes authorization

